Key: MAGNOLIA-2021
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Blocker
Assignee: Philipp Bärfuss
Reporter: Philipp Bärfuss
Votes: 0
Watchers: 0
Magnolia

activation: security hole if you activate a new item

Created: 24/Jan/08 02:51 PM   Updated: 17/Mar/09 07:49 PM
Component/s: activation
Affects Version/s: 3.5.3
Fix Version/s: 3.5.4

Time Tracking:
Not Specified

Resolution Date: 24/Jan/08 02:52 PM
Date of First Response: 24/Jan/08 02:54 PM


Description
The URL /ActivationHandler is not protected, and if you activate a new item the security checks are bypassed (import).

As of 3.5.4, the default activation URL is .magnolia/activation. The old URL is supported through a VirtualURI.

Philipp Bracher [old account - now Philipp Bärfuss] added a comment - 24/Jan/08 02:54 PM
On 3.5 instances before 3.5.4, make sure that the URL /ActivationHandler is protected (deny access to the anonymous role).

Grégory Joseph added a comment - 24/Jan/08 06:19 PM
Please link related issues when appropriate. Please use the multiple JIRA IDs in SVN commit messages when appropriate.